Application Security Processes Not Implemented at Many Enterprises, Survey

A new survey of developers and security professionals revealed that many organizations are still not baking security into the application development process.

According to research by Security Innovation and the Ponemon Institute, 80 percent of the developers and two-thirds of the security personnel surveyed do not have a process where they build security into their software applications. In addition, 47 percent of developers state that there is no formal mandate in place to remediate vulnerable software code.

Those stats tell only part of the story: according to the survey, 59 percent of the developers and close to half of the security pros reported that their company had experienced between one and 10 data breaches during the past two years due to an application being compromised or hacked.

“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” said Larry Ponemon, CEO of the Ponemon Institute, in a statement. “We accomplished that, but what we also found was a drastic divide between the IT Security and Development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”

The survey fielded answers from more than 800 IT security pros and developers from enterprise organizations. In addition to the other statistics, researchers found that exploited vulnerable code in Web 2.0/social media applications ranked as the second-highest root cause of data breaches, behind SQL injection attacks, according to 29 percent of developers and 24 percent of security personnel.

“We commissioned this study with Ponemon because we feel the industry still needs a much higher level of awareness around application security,” said Ed Adams, CEO of Security Innovation, in a statement. “What emerged in this study was that companies don’t seem to be looking at the root causes of data breaches, and they aren’t moving very fast to bridge the existing gaps to fix the myriad of problems. The threat landscape has grown substantially in scope, most notably as our survey respondents stated that Web 2.0 and mobile attacks are the targets of the next wave of threats beyond just Web applications.”